Skip to main content

SecretKey

age_setup::secret_key

Struct SecretKey 

Source 
pub struct SecretKey { /* private fields */ }
Expand description

A validated age secret key protected by memory zeroization.

SecretKey wraps the raw key string inside Zeroizing, which guarantees that the memory is securely erased when the value is dropped. This prevents secrets from lingering in memory dumps or swap files.

§Validation

The key is validated at construction time via new:

  • It must be non‑empty.
  • It must start with the string AGE-SECRET-KEY-1 (case‑sensitive).

§Security properties

  • Redacted displayDisplay and Debug print [REDACTED], never the actual key.
  • Zeroization on drop – memory is overwritten with zeros when the SecretKey (or any clone) is dropped.
  • Cloneable – cloning creates a new independent Zeroizing copy that is also zeroized separately.

§Examples

use age_setup::SecretKey;

let sk = SecretKey::new("AGE-SECRET-KEY-1mytestkey".into())?;
println!("{}", sk);                       // prints: [REDACTED]
println!("{:?}", sk);                     // prints: SecretKey { ... [REDACTED] ... }
let raw = sk.expose_secret();             // careful: raw secret exposed

Implementations§

Source§

impl SecretKey

Source

pub fn new(raw: String) -> Result<Self>

Creates a new SecretKey after validating the raw string.

§Validation checks
  1. The key must not be empty.
  2. The key must start with "AGE-SECRET-KEY-1".
§Errors

Returns Error::Validation with a descriptive reason if any check fails.

§Examples
let valid = SecretKey::new("AGE-SECRET-KEY-1abc".into()).unwrap();

let empty = SecretKey::new("".into());
assert!(empty.is_err());

let wrong_prefix = SecretKey::new("ssh-rsa ...".into());
assert!(wrong_prefix.is_err());
Source

pub fn expose_secret(&self) -> &str

Exposes the raw secret key string.

⚠️ Security Warning – this method returns the actual secret material as a &str. Only use it when absolutely necessary (e.g., to pass the key to an age decryption function or to write it to a securely permissioned file). Avoid logging, printing, or storing the returned string in an unsecured location.

§Examples
let sk = SecretKey::new("AGE-SECRET-KEY-1test".into()).unwrap();
let raw = sk.expose_secret();
assert_eq!(raw, "AGE-SECRET-KEY-1test");

Trait Implementations§

Source§

impl Clone for SecretKey

Source§

fn clone(&self) -> SecretKey

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for SecretKey

The Debug implementation records the secret value as [REDACTED] to prevent accidental leakage through debug output.

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for SecretKey

The Display implementation always writes [REDACTED], never the actual key. Use expose_secret if you need the raw string.

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V